From 017e500574f4ed827c98f2ec6e75a64a011aca74 Mon Sep 17 00:00:00 2001 
From: rahul-infra Date: Fri, 28 Nov 2025 16:45:24 +0530 Subject: [PATCH 01/14] feat: Introduce cross-account provider configuration allowing Route53 records to be managed in a separate AWS account from the Kong deployment. --- .pre-commit-config.yaml | 3 + README.md | 2 +- examples/complete/.header.md | 4 + examples/complete/README.md | 24 ++++ examples/complete/main.tf | 19 +++ examples/complete/variables.tf | 10 ++ examples/complete/versions.tf | 7 ++ examples/cross-accout/.header.md | 15 +++ examples/cross-accout/README.md | 114 ++++++++++++++++++ examples/cross-accout/main.tf | 31 +++++ examples/{minimal => cross-accout}/outputs.tf | 0 examples/cross-accout/variables.tf | 50 ++++++++ examples/cross-accout/versions.tf | 10 ++ examples/minimal/main.tf | 9 -- examples/minimal/variables.tf | 24 ---- examples/minimal/versions.tf | 3 - examples/{minimal => same-account}/.header.md | 1 + examples/{minimal => same-account}/README.md | 39 ++++++ examples/same-account/main.tf | 23 ++++ examples/same-account/outputs.tf | 0 examples/same-account/variables.tf | 50 ++++++++ examples/same-account/versions.tf | 10 ++ main.tf | 54 ++++++++- variables.tf | 6 + versions.tf | 5 +- 25 files changed, 471 insertions(+), 42 deletions(-) create mode 100644 examples/cross-accout/.header.md create mode 100644 examples/cross-accout/README.md create mode 100644 examples/cross-accout/main.tf rename examples/{minimal => cross-accout}/outputs.tf (100%) create mode 100644 examples/cross-accout/variables.tf create mode 100644 examples/cross-accout/versions.tf delete mode 100644 examples/minimal/main.tf delete mode 100644 examples/minimal/variables.tf delete mode 100644 examples/minimal/versions.tf rename examples/{minimal => same-account}/.header.md (94%) rename examples/{minimal => same-account}/README.md (62%) create mode 100644 examples/same-account/main.tf create mode 100644 examples/same-account/outputs.tf create mode 100644 examples/same-account/variables.tf create mode 100644 
examples/same-account/versions.tf diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 83f517c..14e5c29 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -20,6 +20,9 @@ repos: - '--args=--only=terraform_workspace_remote' - '--args=--only=terraform_unused_required_providers' - id: terraform_validate + args: + - --hook-config=--retry-once-with-cleanup=true + files: ^examples/ - repo: https://github.com/pre-commit/pre-commit-hooks rev: v6.0.0 hooks: diff --git a/README.md b/README.md index cbec28f..d8ef620 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ Terraform Module to setup Kong(OSS) in ECS with self managed EC2 instances. # Assumptions -This setup assumes that the `ECS cluster` that has `Auto Scaling Group (ASG)` exist with the name `default`. If you are using different name, you can provide those in the variables section of your Terraform configuration. +This setup assumes that the `ECS cluster` that has `Auto Scaling Group (ASG)` exist with the name `default`. If you are using different name, you can provide those in the variables section of your Terraform configuration.This module also have a provision that your hosted zone can be in same amazon account where your resources are going to create or in a different amazon account. So, if you are having hosted zone in a different account you need to pass IAM role ARN for cross-account Route53 access. ## Adding Parameters to AWS Systems Manager Parameter Store diff --git a/examples/complete/.header.md b/examples/complete/.header.md index 03844b8..1d8565e 100644 --- a/examples/complete/.header.md +++ b/examples/complete/.header.md 
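Review bot: Limiting `terraform_validate` to `files: ^examples/` means the root module and `modules/route-53-record` are now validated only indirectly, through whichever example happens to reference them, so a root-level file that no example exercises passes the hook untouched. If the restriction was added because the root module's new `configuration_aliases` cannot be validated standalone, say so next to the hook, `# root module declares configuration_aliases; validate it through the examples`, so the next maintainer does not widen the filter back and hit the same failure. The hook's enclosing `repos:` list starts before this hunk.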
@@ -40,6 +40,10 @@ cpu_for_kong_task = 512 memory_for_kong_task = 1024 desired_count_for_kong_service = 2 force_new_deployment = true +postgres_engine_version = 16.3 +postgres_major_engine_version = 16 +route53_assume_role_arn = arn:aws:iam::aws-account-id:role/role-name +region = us-east-1 ``` Place this `terraform.tfvars` file in the same directory as your Terraform configuration to automatically load these values. Adjust the values as needed to fit your specific environment and requirements. diff --git a/examples/complete/README.md b/examples/complete/README.md index d27b930..386a3dd 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md @@ -1,4 +1,28 @@ +# Complete Example + +This example demonstrates a **production-ready Kong deployment** with all configurable options, including RDS settings, ECS task configuration, monitoring, and cross-account Route53 support. + +## Use Case + +Use this example when you need: +- Full control over RDS database configuration (instance class, storage, backup retention, multi-AZ, etc.) +- Custom ECS task settings (CPU, memory, logging) +- Performance insights and monitoring +- Production-grade setup with deletion protection and backups +- Flexible Route53 DNS configuration (same-account or cross-account) + +## Key Features + +- Comprehensive RDS PostgreSQL configuration with performance insights +- Multi-AZ deployment support for high availability +- Customizable ECS task resources and logging +- SSL/TLS configuration with custom SSL policies +- Cross-account Route53 support via assume role +- Production backup and maintenance windows + +## Usage + ### Example Variable Values Here is an example of how to define the variable values in your `terraform.tfvars` file: diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 5c6179e..d376aac 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
@@ -1,6 +1,24 @@
+provider "aws" {
+ region = var.region
+}
+
+provider "aws" {
+ alias = "cross_account_provider"
+ region = var.region
+ assume_role {
+ role_arn = var.route53_assume_role_arn
+ }
+}
+
+
 module "kong" {
 source = "../../"
+ providers = {
+ aws = aws
+ aws.cross_account_provider = aws.cross_account_provider
+ }
+
 vpc_id = var.vpc_id
 public_subnet_ids = var.public_subnet_ids
 private_subnet_ids = var.private_subnet_ids
@@ -30,4 +48,5 @@ module "kong" {
 force_new_deployment = var.force_new_deployment
 postgres_engine_version = var.postgres_engine_version
 postgres_major_engine_version = var.postgres_major_engine_version
+ route53_assume_role_arn = var.route53_assume_role_arn
 }
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
index 029f5b8..7301e76 100644
--- a/examples/complete/variables.tf
+++ b/examples/complete/variables.tf
@@ -132,3 +132,13 @@ variable "postgres_major_engine_version" {
 description = "The major version of the Postgres engine"
 type = number
 }
+
+variable "route53_assume_role_arn" {
+ description = "IAM role ARN for cross-account Route53 access."
+ type = string
+}
+
+variable "region" {
+ description = "The AWS region"
+ type = string
+}
diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
index 1bb2111..a6722f9 100644
--- a/examples/complete/versions.tf
+++ b/examples/complete/versions.tf
@@ -1,3 +1,10 @@
 terraform {
 required_version = ">= 1.13.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 6.0"
+ }
+ }
 }
diff --git a/examples/cross-accout/.header.md b/examples/cross-accout/.header.md
new file mode 100644
index 0000000..bf86731
--- /dev/null
+++ b/examples/cross-accout/.header.md
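Review bot: The `assume_role` block of the `cross_account_provider` provider sets only `role_arn`, so the cross-account session has no `session_name` and no `external_id`; the identical block is repeated in examples/cross-accout/main.tf. A fixed `session_name = "kong-route53"` makes the assumed-role activity attributable in the DNS account's CloudTrail, and an `external_id` lets the trust policy in the DNS account require it, which is the usual guard against the role being assumed on behalf of an unintended caller. Separately, `examples/complete/variables.tf` declares `route53_assume_role_arn` with no default while the root module treats `null` as same-account, so this "complete" example cannot be applied in a single account even though its README lists same-account as supported; `default = null` here would restore that, provided the provider version in use tolerates an unset `role_arn` inside `assume_role` (worth confirming).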
@@ -0,0 +1,15 @@ +### Example Variable Values + +Here is an example of how to define the variable values in your `terraform.tfvars` file: + +```hcl +vpc_id = "vpc-12345678" +public_subnet_ids = ["subnet-abcdef01", "subnet-abcdef02"] +private_subnet_ids = ["subnet-abcdef03", "subnet-abcdef04"] +kong_public_domain_name = "api.example.com" +kong_admin_domain_name = "admin-api.example.com" +region = "us-east-1" +route53_assume_role_arn = "arn:aws:iam::account-id:role/role-id" +``` + +Place this `terraform.tfvars` file in the same directory as your Terraform configuration to automatically load these values. Adjust the values as needed to fit your specific environment and requirements. diff --git a/examples/cross-accout/README.md b/examples/cross-accout/README.md new file mode 100644 index 0000000..d57a8ba --- /dev/null +++ b/examples/cross-accout/README.md 
@@ -0,0 +1,114 @@ + +# Cross-Account Example + +This example demonstrates Kong deployment with **Route53 hosted zone in a different AWS account** using cross-account IAM role assumption. + +## Use Case + +Use this example when: +- Your Route53 hosted zone is managed in a separate AWS account (common in enterprise setups) +- You have a centralized DNS management account +- You need to manage DNS records across AWS accounts +- You follow security best practices with separate accounts for different concerns + +## Key Features + +- Cross-account Route53 DNS record management +- IAM role assumption for secure cross-account access +- Separate provider configuration for DNS operations +- Minimal configuration with module defaults for other resources +- Secure cross-account permissions model + +## Provider Configuration + +This example uses two providers: +1. **Default provider** - For Kong infrastructure (VPC, ECS, RDS, ALB) +2. **Cross-account provider** - For Route53 DNS records in a different account + +```hcl +provider "aws" { + alias = "cross_account_provider" + region = var.region + assume_role { + role_arn = var.route53_assume_role_arn # IAM role in DNS account + } +} +``` + +## Prerequisites + +1. An IAM role must exist in the Route53 account that allows the Kong account to assume it +2. The role should have permissions to manage Route53 records +3. 
Example trust policy for the IAM role in the DNS account: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::KONG_ACCOUNT_ID:root" + }, + "Action": "sts:AssumeRole" + } + ] +} +``` + +## Usage + +### Example Variable Values + +Here is an example of how to define the variable values in your `terraform.tfvars` file: + +```hcl +vpc_id = "vpc-12345678" +public_subnet_ids = ["subnet-abcdef01", "subnet-abcdef02"] +private_subnet_ids = ["subnet-abcdef03", "subnet-abcdef04"] +kong_public_domain_name = "api.example.com" +kong_admin_domain_name = "admin-api.example.com" + +# Cross-account Route53 IAM role (in the DNS account) +route53_assume_role_arn = "arn:aws:iam::DNS_ACCOUNT_ID:role/route53-cross-account-role" + +region = "ap-south-1" +cluster_name = "default" +``` + +Place this `terraform.tfvars` file in the same directory as your Terraform configuration to automatically load these values. Adjust the values as needed to fit your specific environment and requirements. + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.13.0 | + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [kong](#module\_kong) | ../../ | n/a | + +## Resources + +No resources. 
+ +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [kong\_admin\_domain\_name](#input\_kong\_admin\_domain\_name) | The admin domain name for Kong | `string` | n/a | yes | +| [kong\_public\_domain\_name](#input\_kong\_public\_domain\_name) | The public domain name for Kong | `string` | n/a | yes | +| [private\_subnet\_ids](#input\_private\_subnet\_ids) | List of private subnet IDs | `list(string)` | n/a | yes | +| [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnet IDs | `list(string)` | n/a | yes | +| [vpc\_id](#input\_vpc\_id) | The ID of the VPC | `string` | n/a | yes | + +## Outputs + +No outputs. + diff --git a/examples/cross-accout/main.tf b/examples/cross-accout/main.tf new file mode 100644 index 0000000..c906bcd --- /dev/null +++ b/examples/cross-accout/main.tf @@ -0,0 +1,31 @@ +provider "aws" { + region = var.region +} + +provider "aws" { + alias = "cross_account_provider" + region = var.region + assume_role { + role_arn = var.route53_assume_role_arn + } +} + + +module "kong" { + source = "../../" + + providers = { + aws = aws + aws.cross_account_provider = aws.cross_account_provider + } + + vpc_id = var.vpc_id + public_subnet_ids = var.public_subnet_ids + private_subnet_ids = var.private_subnet_ids + kong_public_domain_name = var.kong_public_domain_name + kong_admin_domain_name = var.kong_admin_domain_name + cluster_name = var.cluster_name + postgres_engine_version = var.postgres_engine_version + postgres_major_engine_version = var.postgres_major_engine_version + route53_assume_role_arn = var.route53_assume_role_arn +} diff --git a/examples/minimal/outputs.tf b/examples/cross-accout/outputs.tf similarity index 100% rename from examples/minimal/outputs.tf rename to examples/cross-accout/outputs.tf diff --git a/examples/cross-accout/variables.tf b/examples/cross-accout/variables.tf new file mode 100644 index 0000000..0951acf --- /dev/null 
+++ b/examples/cross-accout/variables.tf @@ -0,0 +1,50 @@ +variable "vpc_id" { + description = "The ID of the VPC" + type = string +} + +variable "public_subnet_ids" { + description = "List of public subnet IDs" + type = list(string) +} + +variable "private_subnet_ids" { + description = "List of private subnet IDs" + type = list(string) +} + +variable "kong_public_domain_name" { + description = "The public domain name for Kong" + type = string +} + +variable "kong_admin_domain_name" { + description = "The admin domain name for Kong" + type = string +} + +variable "cluster_name" { + description = "Name of the cluster" + type = string +} + +variable "postgres_engine_version" { + description = "The version of the Postgres engine" + type = number +} + +variable "postgres_major_engine_version" { + description = "The major version of the Postgres engine" + type = number +} + +variable "route53_assume_role_arn" { + description = "The ARN of the DNS role" + type = string + default = null +} + +variable "region" { + description = "The AWS region" + type = string +} diff --git a/examples/cross-accout/versions.tf b/examples/cross-accout/versions.tf new file mode 100644 index 0000000..a6722f9 --- /dev/null +++ b/examples/cross-accout/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = ">= 1.13.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 6.0" + } + } +} diff --git a/examples/minimal/main.tf b/examples/minimal/main.tf deleted file mode 100644 index 3b34c2b..0000000 --- a/examples/minimal/main.tf +++ /dev/null @@ -1,9 +0,0 @@ -module "kong" { - source = "../../" - - vpc_id = var.vpc_id - public_subnet_ids = var.public_subnet_ids - private_subnet_ids = var.private_subnet_ids - kong_public_domain_name = var.kong_public_domain_name - kong_admin_domain_name = var.kong_admin_domain_name -} diff --git a/examples/minimal/variables.tf b/examples/minimal/variables.tf deleted file mode 100644 index e22619f..0000000 
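Review bot: `route53_assume_role_arn` has `default = null` in the cross-account example, but the assumed role is the whole point of this example; left unset, the provider's `assume_role` in main.tf receives a null `role_arn` and the root module quietly takes the same-account path (`count = var.route53_assume_role_arn == null ? 1 : 0`), so the records land in the deployment account rather than the DNS account. Drop the default so Terraform requires a value, and make the description say what the role is, `description = "ARN of the IAM role to assume in the Route53 hosted-zone account"`. The file is byte-identical to examples/same-account/variables.tf (blob 0951acf), where a null default is the right choice. `postgres_engine_version` is typed `number`, which cannot carry versions such as 16.10; `type = string` still converts when passed to a numeric input. The directory is spelled `cross-accout` throughout this commit and should be renamed to `cross-account` before the path is documented.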
--- a/examples/minimal/variables.tf +++ /dev/null @@ -1,24 +0,0 @@ -variable "vpc_id" { - description = "The ID of the VPC" - type = string -} - -variable "public_subnet_ids" { - description = "List of public subnet IDs" - type = list(string) -} - -variable "private_subnet_ids" { - description = "List of private subnet IDs" - type = list(string) -} - -variable "kong_public_domain_name" { - description = "The public domain name for Kong" - type = string -} - -variable "kong_admin_domain_name" { - description = "The admin domain name for Kong" - type = string -} diff --git a/examples/minimal/versions.tf b/examples/minimal/versions.tf deleted file mode 100644 index 1bb2111..0000000 --- a/examples/minimal/versions.tf +++ /dev/null @@ -1,3 +0,0 @@ -terraform { - required_version = ">= 1.13.0" -} diff --git a/examples/minimal/.header.md b/examples/same-account/.header.md similarity index 94% rename from examples/minimal/.header.md rename to examples/same-account/.header.md index c3a26ec..59326b4 100644 --- a/examples/minimal/.header.md +++ b/examples/same-account/.header.md @@ -8,6 +8,7 @@ public_subnet_ids = ["subnet-abcdef01", "subnet-abcdef02"] private_subnet_ids = ["subnet-abcdef03", "subnet-abcdef04"] kong_public_domain_name = "api.example.com" kong_admin_domain_name = "admin-api.example.com" +region = "us-east-1" ``` Place this `terraform.tfvars` file in the same directory as your Terraform configuration to automatically load these values. Adjust the values as needed to fit your specific environment and requirements. diff --git a/examples/minimal/README.md b/examples/same-account/README.md similarity index 62% rename from examples/minimal/README.md rename to examples/same-account/README.md index c58a60f..dbc366a 100644 --- a/examples/minimal/README.md +++ b/examples/same-account/README.md 
@@ -1,4 +1,37 @@ +# Same Account Example + +This example demonstrates a **minimal Kong deployment** where all AWS resources, including the Route53 hosted zone, are in the **same AWS account**. + +## Use Case + +Use this example when: +- Your Route53 hosted zone is in the same AWS account as your Kong infrastructure +- You want a simple deployment without cross-account complexity +- You're setting up development, staging, or testing environments +- You need minimal configuration with sensible defaults + +## Key Features + +- Single AWS account setup (no cross-account assume role required) +- Minimal required variables (VPC, subnets, domain names) +- Uses module defaults for RDS and ECS configuration +- Simplified provider configuration +- Quick setup for non-production environments + +## Provider Configuration + +Note that `cross_account_provider` points to the same default AWS provider: + +```hcl +providers = { + aws = aws + aws.cross_account_provider = aws # Same account +} +``` + +## Usage + ### Example Variable Values Here is an example of how to define the variable values in your `terraform.tfvars` file: @@ -9,6 +42,12 @@ public_subnet_ids = ["subnet-abcdef01", "subnet-abcdef02"] private_subnet_ids = ["subnet-abcdef03", "subnet-abcdef04"] kong_public_domain_name = "api.example.com" kong_admin_domain_name = "admin-api.example.com" + +# Same-account setup - no cross-account role needed +route53_assume_role_arn = null + +region = "ap-south-1" +cluster_name = "default" ``` Place this `terraform.tfvars` file in the same directory as your Terraform configuration to automatically load these values. Adjust the values as needed to fit your specific environment and requirements. diff --git a/examples/same-account/main.tf b/examples/same-account/main.tf new file mode 100644 index 0000000..31204aa --- /dev/null +++ b/examples/same-account/main.tf 
@@ -0,0 +1,23 @@ +provider "aws" { + region = var.region +} + + +module "kong" { + source = "../../" + + providers = { + aws = aws + aws.cross_account_provider = aws + } + + vpc_id = var.vpc_id + public_subnet_ids = var.public_subnet_ids + private_subnet_ids = var.private_subnet_ids + kong_public_domain_name = var.kong_public_domain_name + kong_admin_domain_name = var.kong_admin_domain_name + cluster_name = var.cluster_name + postgres_engine_version = var.postgres_engine_version + postgres_major_engine_version = var.postgres_major_engine_version + route53_assume_role_arn = var.route53_assume_role_arn +} diff --git a/examples/same-account/outputs.tf b/examples/same-account/outputs.tf new file mode 100644 index 0000000..e69de29 diff --git a/examples/same-account/variables.tf b/examples/same-account/variables.tf new file mode 100644 index 0000000..0951acf --- /dev/null +++ b/examples/same-account/variables.tf @@ -0,0 +1,50 @@ +variable "vpc_id" { + description = "The ID of the VPC" + type = string +} + +variable "public_subnet_ids" { + description = "List of public subnet IDs" + type = list(string) +} + +variable "private_subnet_ids" { + description = "List of private subnet IDs" + type = list(string) +} + +variable "kong_public_domain_name" { + description = "The public domain name for Kong" + type = string +} + +variable "kong_admin_domain_name" { + description = "The admin domain name for Kong" + type = string +} + +variable "cluster_name" { + description = "Name of the cluster" + type = string +} + +variable "postgres_engine_version" { + description = "The version of the Postgres engine" + type = number +} + +variable "postgres_major_engine_version" { + description = "The major version of the Postgres engine" + type = number +} + +variable "route53_assume_role_arn" { + description = "The ARN of the DNS role" + type = string + default = null +} + +variable "region" { + description = "The AWS region" + type = string +} 
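Review bot: examples/same-account/main.tf maps `aws.cross_account_provider = aws` yet still forwards `route53_assume_role_arn = var.route53_assume_role_arn`; if a user sets that variable in this example, the root module selects the cross-account record modules but hands them the plain provider, so the records are written to the local account with no role assumption and no error (unless the upstream ecs-deployment module assumes the role itself, which cannot be seen here). Since this example is defined as single-account, drop the `route53_assume_role_arn` argument and its variable so the root default of `null` applies, or pin it with `route53_assume_role_arn = null` and a comment `# same-account: DNS records are created with the default provider`.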
diff --git a/examples/same-account/versions.tf b/examples/same-account/versions.tf
new file mode 100644
index 0000000..a6722f9
--- /dev/null
+++ b/examples/same-account/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.13.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 6.0"
+ }
+ }
+}
diff --git a/main.tf b/main.tf
index 9dfbbb8..af165ba 100644
--- a/main.tf
+++ b/main.tf
@@ -204,7 +204,7 @@ data "aws_ecs_cluster" "this" {
 module "ecs_kong" {
 source = "infraspecdev/ecs-deployment/aws"
- version = "~> 4.3.4"
+ version = "4.3.6"
 vpc_id = var.vpc_id
 cluster_name = data.aws_ecs_cluster.this.cluster_name
@@ -314,6 +314,11 @@ module "ecs_kong" {
 }
 create_acm = true
+
+ providers = {
+ aws = aws,
+ aws.cross_account_provider = aws.cross_account_provider
+ }
 acm_certificates = {
 (local.kong.public_acm_certificate) = {
 domain_name = var.kong_public_domain_name
@@ -321,10 +326,17 @@ module "ecs_kong" {
 domain_name = var.kong_public_domain_name
 validation_domain = var.kong_public_domain_name
 }
- record_zone_id = module.kong_public_dns_record.zone_id
+
+ record_zone_id = (
+ var.route53_assume_role_arn != null
+ ? module.kong_public_dns_record[0].zone_id
+ : module.kong_public_dns_record_same_account[0].zone_id
+ )
 }
 }
+ route53_assume_role_arn = var.route53_assume_role_arn
+
 depends_on = [module.kong_rds]
 }
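Review bot: `ecs_kong` is pinned to `version = "4.3.6"` while `internal_alb_kong`, which sources `infraspecdev/ecs-deployment/aws//modules/alb` from the same package, keeps `~> 4.3.4` (visible in the README module table in this series), so the two can resolve to different releases of one module and drift apart on the next `init -upgrade`. Use the same constraint on both, `version = "4.3.6"` on `internal_alb_kong` as well, or the same `~>` range for both. The `internal_alb_kong` block lies outside this hunk.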
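Review bot: `record_zone_id` indexes `module.kong_public_dns_record[0]` and `module.kong_public_dns_record_same_account[0]` in the two arms of one conditional while exactly one of those modules has `count = 0`; whether the unselected arm's invalid index is suppressed depends on how the conditional is evaluated, and `coalesce(one(module.kong_public_dns_record[*].zone_id), one(module.kong_public_dns_record_same_account[*].zone_id))` sidesteps the question because a splat over an empty module instance is an empty list. The new `providers` map also hands `aws.cross_account_provider` to the upstream `ecs_kong` module together with `route53_assume_role_arn`, so that module presumably now writes its ACM validation records in the DNS account; the permissions the assumed role needs for that (at minimum `route53:ChangeResourceRecordSets` on the zone) should be stated next to the variable. The `ecs_kong` block begins before this hunk.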
@@ -389,23 +401,57 @@ module "internal_alb_kong" {
 ################################################################################
 # Route53 Record For Public ALB
 ################################################################################
-
-module "kong_public_dns_record" {
+module "kong_public_dns_record_same_account" {
+ count = var.route53_assume_role_arn == null ? 1 : 0
 source = "./modules/route-53-record"
 domain = var.kong_public_domain_name
 alb_dns_name = module.ecs_kong.alb_dns_name
 alb_zone_id = module.ecs_kong.alb_zone_id
+
+ providers = {
+ aws = aws
+ }
 }
 ################################################################################
 # Route53 Record For Internal ALB
 ################################################################################
+module "kong_internal_dns_record_same_account" {
+ count = var.route53_assume_role_arn == null ? 1 : 0
+ source = "./modules/route-53-record"
+
+ domain = var.kong_admin_domain_name
+ alb_dns_name = module.internal_alb_kong.dns_name
+ alb_zone_id = module.ecs_kong.alb_zone_id
+
+ providers = {
+ aws = aws
+ }
+}
+
+module "kong_public_dns_record" {
+ count = var.route53_assume_role_arn != null ? 1 : 0
+ source = "./modules/route-53-record"
+
+ domain = var.kong_public_domain_name
+ alb_dns_name = module.ecs_kong.alb_dns_name
+ alb_zone_id = module.ecs_kong.alb_zone_id
+
+ providers = {
+ aws = aws.cross_account_provider
+ }
+}
 module "kong_internal_dns_record" {
+ count = var.route53_assume_role_arn != null ? 1 : 0
 source = "./modules/route-53-record"
 domain = var.kong_admin_domain_name
 alb_dns_name = module.internal_alb_kong.dns_name
 alb_zone_id = module.ecs_kong.alb_zone_id
+
+ providers = {
+ aws = aws.cross_account_provider
+ }
 }
diff --git a/variables.tf b/variables.tf
index 085e67c..477c516 100644
--- a/variables.tf
+++ b/variables.tf
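Review bot: Both internal-ALB record modules, the new `kong_internal_dns_record_same_account` and the existing `kong_internal_dns_record`, pair `alb_dns_name = module.internal_alb_kong.dns_name` with `alb_zone_id = module.ecs_kong.alb_zone_id`, the public ALB's zone id; that appears to rely on ALB alias zone ids being per region rather than per load balancer, and the new block copies the mismatch instead of reading a zone id from the internal ALB module if it exposes one. The `providers = { aws = aws }` blocks on the two same-account modules restate default inheritance and can be dropped. Changing `route53_assume_role_arn` between null and an ARN on an existing deployment moves the records between module addresses, which plans as destroy-and-create rather than a move; a comment above the four blocks should say so, `# Same-account and cross-account variants are separate module addresses; changing route53_assume_role_arn replaces the records.`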
@@ -181,3 +181,9 @@ variable "postgres_major_engine_version" { error_message = "The major PostgreSQL engine version must be 16 or higher." } } + +variable "route53_assume_role_arn" { + description = "ARN of the IAM role to assume in the hosted-zone account (should be null for same-account)." + type = string + default = null +} diff --git a/versions.tf b/versions.tf index 51899a0..59896a8 100644 --- a/versions.tf +++ b/versions.tf @@ -4,7 +4,10 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.5.0" + version = ">= 6.0" + configuration_aliases = [ + aws.cross_account_provider + ] } } } From 71007787686403568e8eb2ada6aa2f885ea47835 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Fri, 28 Nov 2025 11:16:46 +0000 Subject: [PATCH 02/14] terraform-docs: automated action --- README.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index d8ef620..a894db2 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ Terraform Module to setup Kong(OSS) in ECS with self managed EC2 instances. # Assumptions -This setup assumes that the `ECS cluster` that has `Auto Scaling Group (ASG)` exist with the name `default`. If you are using different name, you can provide those in the variables section of your Terraform configuration.This module also have a provision that your hosted zone can be in same amazon account where your resources are going to create or in a different amazon account. So, if you are having hosted zone in a different account you need to pass IAM role ARN for cross-account Route53 access. +This setup assumes that the `ECS cluster` that has `Auto Scaling Group (ASG)` exist with the name `default`. If you are using different name, you can provide those in the variables section of your Terraform configuration. ## Adding Parameters to AWS Systems Manager Parameter Store 
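Review bot: `route53_assume_role_arn` accepts any string, and it drives both the provider `assume_role` in the examples and the `count` selection of the record modules in main.tf, so a value such as `""` is not null, selects the cross-account modules, and fails only later inside the provider with an STS error. A validation block that permits null or an IAM role ARN turns that into a clear message when the variable is evaluated. The description could also state the permission the role must grant, `route53:ChangeResourceRecordSets` on the target hosted zone.
```hcl
variable "route53_assume_role_arn" {
  description = "ARN of the IAM role to assume in the hosted-zone account (should be null for same-account)."
  type        = string
  default     = null

  validation {
    condition     = var.route53_assume_role_arn == null || can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$", var.route53_assume_role_arn))
    error_message = "route53_assume_role_arn must be null or an IAM role ARN (arn:aws:iam::<account-id>:role/<name>)."
  }
}
```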
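Review bot: `configuration_aliases = [aws.cross_account_provider]` makes the alias a mandatory input of the module: every caller, including single-account ones, must now pass `providers = { aws.cross_account_provider = aws }` or Terraform reports the missing provider configuration, and the README's Assumptions paragraph does not say so. Raising the constraint from `>= 5.5.0` to `>= 6.0` in the same commit is a second breaking change for existing consumers. Both belong in the commit message, and a comment beside the alias would help callers, `# Required from every caller; map it to the default provider when the hosted zone is in the same account.`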
@@ -29,24 +29,26 @@ aws ssm put-parameter --name "/rds/POSTGRES_DB_NAME" --value "value" --type "Sec | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.13.0 | -| [aws](#requirement\_aws) | >= 5.5.0 | +| [aws](#requirement\_aws) | >= 6.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.5.0 | +| [aws](#provider\_aws) | >= 6.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [ecs\_kong](#module\_ecs\_kong) | infraspecdev/ecs-deployment/aws | ~> 4.3.4 | +| [ecs\_kong](#module\_ecs\_kong) | infraspecdev/ecs-deployment/aws | 4.3.6 | | [ecs\_task\_security\_group](#module\_ecs\_task\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.3.0 | | [internal\_alb\_kong](#module\_internal\_alb\_kong) | infraspecdev/ecs-deployment/aws//modules/alb | ~> 4.3.4 | | [internal\_alb\_security\_group](#module\_internal\_alb\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.3.0 | | [kong\_internal\_dns\_record](#module\_kong\_internal\_dns\_record) | ./modules/route-53-record | n/a | +| [kong\_internal\_dns\_record\_same\_account](#module\_kong\_internal\_dns\_record\_same\_account) | ./modules/route-53-record | n/a | | [kong\_public\_dns\_record](#module\_kong\_public\_dns\_record) | ./modules/route-53-record | n/a | +| [kong\_public\_dns\_record\_same\_account](#module\_kong\_public\_dns\_record\_same\_account) | ./modules/route-53-record | n/a | | [kong\_rds](#module\_kong\_rds) | terraform-aws-modules/rds/aws | ~> 6.13.0 | | [postgres\_security\_group](#module\_postgres\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.3.0 | | [public\_alb\_security\_group](#module\_public\_alb\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.3.0 | 
@@ -92,6 +94,7 @@ aws ssm put-parameter --name "/rds/POSTGRES_DB_NAME" --value "value" --type "Sec | [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnet IDs for public-facing load balancers | `list(string)` | n/a | yes | | [rds\_db\_tags](#input\_rds\_db\_tags) | List of tags | `map(string)` | `{}` | no | | [rds\_instance\_class](#input\_rds\_instance\_class) | The RDS instance class for Kong database (e.g., db.t3.micro, db.r5.large) | `string` | `"db.t3.micro"` | no | +| [route53\_assume\_role\_arn](#input\_route53\_assume\_role\_arn) | ARN of the IAM role to assume in the hosted-zone account (should be null for same-account). | `string` | `null` | no | | [ssl\_policy](#input\_ssl\_policy) | Name of the SSL Policy for the listener. | `string` | `"ELBSecurityPolicy-2016-08"` | no | | [vpc\_id](#input\_vpc\_id) | The ID of the VPC where Kong infrastructure will be deployed | `string` | n/a | yes | From 1872837b8741f3050edcedd8c5163fcdb9c2a90c Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Fri, 28 Nov 2025 11:16:48 +0000 Subject: [PATCH 03/14] terraform-docs: automated action --- examples/complete/README.md | 31 ++++---------- examples/cross-accout/README.md | 73 ++++----------------------------- examples/same-account/README.md | 46 ++++----------------- 3 files changed, 22 insertions(+), 128 deletions(-) diff --git a/examples/complete/README.md b/examples/complete/README.md index 386a3dd..2ffa933 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md 
@@ -1,28 +1,4 @@ -# Complete Example - -This example demonstrates a **production-ready Kong deployment** with all configurable options, including RDS settings, ECS task configuration, monitoring, and cross-account Route53 support. - -## Use Case - -Use this example when you need: -- Full control over RDS database configuration (instance class, storage, backup retention, multi-AZ, etc.) -- Custom ECS task settings (CPU, memory, logging) -- Performance insights and monitoring -- Production-grade setup with deletion protection and backups -- Flexible Route53 DNS configuration (same-account or cross-account) - -## Key Features - -- Comprehensive RDS PostgreSQL configuration with performance insights -- Multi-AZ deployment support for high availability -- Customizable ECS task resources and logging -- SSL/TLS configuration with custom SSL policies -- Cross-account Route53 support via assume role -- Production backup and maintenance windows - -## Usage - ### Example Variable Values Here is an example of how to define the variable values in your `terraform.tfvars` file: @@ -65,6 +41,10 @@ cpu_for_kong_task = 512 memory_for_kong_task = 1024 desired_count_for_kong_service = 2 force_new_deployment = true +postgres_engine_version = 16.3 +postgres_major_engine_version = 16 +route53_assume_role_arn = arn:aws:iam::aws-account-id:role/role-name +region = us-east-1 ``` Place this `terraform.tfvars` file in the same directory as your Terraform configuration to automatically load these values. Adjust the values as needed to fit your specific environment and requirements. @@ -74,6 +54,7 @@ Place this `terraform.tfvars` file in the same directory as your Terraform confi | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.13.0 | +| [aws](#requirement\_aws) | >= 6.0 | ## Providers 
@@ -118,6 +99,8 @@ No resources. | [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnet IDs | `list(string)` | n/a | yes | | [rds\_db\_tags](#input\_rds\_db\_tags) | List of tags | `map(string)` | n/a | yes | | [rds\_instance\_class](#input\_rds\_instance\_class) | The instance class to use | `string` | n/a | yes | +| [region](#input\_region) | The AWS region | `string` | n/a | yes | +| [route53\_assume\_role\_arn](#input\_route53\_assume\_role\_arn) | IAM role ARN for cross-account Route53 access. | `string` | n/a | yes | | [ssl\_policy](#input\_ssl\_policy) | (Optional) Name of the SSL Policy for the listener. | `string` | n/a | yes | | [vpc\_id](#input\_vpc\_id) | The ID of the VPC | `string` | n/a | yes | diff --git a/examples/cross-accout/README.md b/examples/cross-accout/README.md index d57a8ba..119a8ab 100644 --- a/examples/cross-accout/README.md +++ b/examples/cross-accout/README.md 
@@ -1,63 +1,4 @@ -# Cross-Account Example - -This example demonstrates Kong deployment with **Route53 hosted zone in a different AWS account** using cross-account IAM role assumption. - -## Use Case - -Use this example when: -- Your Route53 hosted zone is managed in a separate AWS account (common in enterprise setups) -- You have a centralized DNS management account -- You need to manage DNS records across AWS accounts -- You follow security best practices with separate accounts for different concerns - -## Key Features - -- Cross-account Route53 DNS record management -- IAM role assumption for secure cross-account access -- Separate provider configuration for DNS operations -- Minimal configuration with module defaults for other resources -- Secure cross-account permissions model - -## Provider Configuration - -This example uses two providers: -1. **Default provider** - For Kong infrastructure (VPC, ECS, RDS, ALB) -2. **Cross-account provider** - For Route53 DNS records in a different account - -```hcl -provider "aws" { - alias = "cross_account_provider" - region = var.region - assume_role { - role_arn = var.route53_assume_role_arn # IAM role in DNS account - } -} -``` - -## Prerequisites - -1. An IAM role must exist in the Route53 account that allows the Kong account to assume it -2. The role should have permissions to manage Route53 records -3. Example trust policy for the IAM role in the DNS account: - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::KONG_ACCOUNT_ID:root" - }, - "Action": "sts:AssumeRole" - } - ] -} -``` - -## Usage - ### Example Variable Values Here is an example of how to define the variable values in your `terraform.tfvars` file: 
@@ -68,12 +9,8 @@ public_subnet_ids = ["subnet-abcdef01", "subnet-abcdef02"] private_subnet_ids = ["subnet-abcdef03", "subnet-abcdef04"] kong_public_domain_name = "api.example.com" kong_admin_domain_name = "admin-api.example.com" - -# Cross-account Route53 IAM role (in the DNS account) -route53_assume_role_arn = "arn:aws:iam::DNS_ACCOUNT_ID:role/route53-cross-account-role" - -region = "ap-south-1" -cluster_name = "default" +region = "us-east-1" +route53_assume_role_arn = "arn:aws:iam::account-id:role/role-id" ``` Place this `terraform.tfvars` file in the same directory as your Terraform configuration to automatically load these values. Adjust the values as needed to fit your specific environment and requirements. @@ -83,6 +20,7 @@ Place this `terraform.tfvars` file in the same directory as your Terraform confi | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.13.0 | +| [aws](#requirement\_aws) | >= 6.0 | ## Providers 
@@ -102,10 +40,15 @@ No resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [cluster\_name](#input\_cluster\_name) | Name of the cluster | `string` | n/a | yes | | [kong\_admin\_domain\_name](#input\_kong\_admin\_domain\_name) | The admin domain name for Kong | `string` | n/a | yes | | [kong\_public\_domain\_name](#input\_kong\_public\_domain\_name) | The public domain name for Kong | `string` | n/a | yes | +| [postgres\_engine\_version](#input\_postgres\_engine\_version) | The version of the Postgres engine | `number` | n/a | yes | +| [postgres\_major\_engine\_version](#input\_postgres\_major\_engine\_version) | The major version of the Postgres engine | `number` | n/a | yes | | [private\_subnet\_ids](#input\_private\_subnet\_ids) | List of private subnet IDs | `list(string)` | n/a | yes | | [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnet IDs | `list(string)` | n/a | yes | +| [region](#input\_region) | The AWS region | `string` | n/a | yes | +| [route53\_assume\_role\_arn](#input\_route53\_assume\_role\_arn) | The ARN of the DNS role | `string` | `null` | no | | [vpc\_id](#input\_vpc\_id) | The ID of the VPC | `string` | n/a | yes | ## Outputs diff --git a/examples/same-account/README.md b/examples/same-account/README.md index dbc366a..e7fd326 100644 --- a/examples/same-account/README.md +++ b/examples/same-account/README.md 
@@ -1,37 +1,4 @@ -# Same Account Example - -This example demonstrates a **minimal Kong deployment** where all AWS resources, including the Route53 hosted zone, are in the **same AWS account**. - -## Use Case - -Use this example when: -- Your Route53 hosted zone is in the same AWS account as your Kong infrastructure -- You want a simple deployment without cross-account complexity -- You're setting up development, staging, or testing environments -- You need minimal configuration with sensible defaults - -## Key Features - -- Single AWS account setup (no cross-account assume role required) -- Minimal required variables (VPC, subnets, domain names) -- Uses module defaults for RDS and ECS configuration -- Simplified provider configuration -- Quick setup for non-production environments - -## Provider Configuration - -Note that `cross_account_provider` points to the same default AWS provider: - -```hcl -providers = { - aws = aws - aws.cross_account_provider = aws # Same account -} -``` - -## Usage - ### Example Variable Values Here is an example of how to define the variable values in your `terraform.tfvars` file: @@ -42,12 +9,7 @@ public_subnet_ids = ["subnet-abcdef01", "subnet-abcdef02"] private_subnet_ids = ["subnet-abcdef03", "subnet-abcdef04"] kong_public_domain_name = "api.example.com" kong_admin_domain_name = "admin-api.example.com" - -# Same-account setup - no cross-account role needed -route53_assume_role_arn = null - -region = "ap-south-1" -cluster_name = "default" +region = "us-east-1" ``` Place this `terraform.tfvars` file in the same directory as your Terraform configuration to automatically load these values. Adjust the values as needed to fit your specific environment and requirements. @@ -57,6 +19,7 @@ Place this `terraform.tfvars` file in the same directory as your Terraform confi | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.13.0 | +| [aws](#requirement\_aws) | >= 6.0 | ## Providers 
@@ -76,10 +39,15 @@ No resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [cluster\_name](#input\_cluster\_name) | Name of the cluster | `string` | n/a | yes | | [kong\_admin\_domain\_name](#input\_kong\_admin\_domain\_name) | The admin domain name for Kong | `string` | n/a | yes | | [kong\_public\_domain\_name](#input\_kong\_public\_domain\_name) | The public domain name for Kong | `string` | n/a | yes | +| [postgres\_engine\_version](#input\_postgres\_engine\_version) | The version of the Postgres engine | `number` | n/a | yes | +| [postgres\_major\_engine\_version](#input\_postgres\_major\_engine\_version) | The major version of the Postgres engine | `number` | n/a | yes | | [private\_subnet\_ids](#input\_private\_subnet\_ids) | List of private subnet IDs | `list(string)` | n/a | yes | | [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnet IDs | `list(string)` | n/a | yes | +| [region](#input\_region) | The AWS region | `string` | n/a | yes | +| [route53\_assume\_role\_arn](#input\_route53\_assume\_role\_arn) | The ARN of the DNS role | `string` | `null` | no | | [vpc\_id](#input\_vpc\_id) | The ID of the VPC | `string` | n/a | yes | ## Outputs From 4c1b63713ab359105d19b322f79091645224c2a6 Mon Sep 17 00:00:00 2001 From: rahul-infra Date: Fri, 28 Nov 2025 18:18:29 +0530 Subject: [PATCH 04/14] updated terraform version. --- .github/workflows/terraform-checks.yaml | 2 +- .github/workflows/terraform-docs.yaml | 2 +- main.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/terraform-checks.yaml b/.github/workflows/terraform-checks.yaml index 2a9c21a..7dcaeb3 100644 --- a/.github/workflows/terraform-checks.yaml +++ b/.github/workflows/terraform-checks.yaml @@ -15,7 +15,7 @@ jobs: - name: Setup Terraform uses: hashicorp/setup-terraform@v3 with: - terraform_version: "1.13.1" + terraform_version: "1.14.0" - name: Initialize Terraform id: init 
diff --git a/.github/workflows/terraform-docs.yaml b/.github/workflows/terraform-docs.yaml index 45e78f5..ce875c5 100644 --- a/.github/workflows/terraform-docs.yaml +++ b/.github/workflows/terraform-docs.yaml @@ -21,7 +21,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v5 with: - ref: ${{ github.event_name == 'pull_request' && github.head_ref || github.ref }} + ref: ${{ github.event_name == 'pull_request' && github.head_ref || github.event.pull_request.head.ref || github.ref }} token: ${{ secrets.GITHUB_TOKEN }} - name: Render and Push terraform docs for main module diff --git a/main.tf b/main.tf index af165ba..d0ed304 100644 --- a/main.tf +++ b/main.tf @@ -316,7 +316,7 @@ module "ecs_kong" { create_acm = true providers = { - aws = aws, + aws = aws aws.cross_account_provider = aws.cross_account_provider } acm_certificates = { From 46c7c1484ecf17cce1ee2bfa1826d0c603e24d43 Mon Sep 17 00:00:00 2001 From: rahul-infra Date: Mon, 1 Dec 2025 09:58:42 +0530 Subject: [PATCH 05/14] Made changes in main.tf. --- .github/workflows/terraform-checks.yaml | 57 ++++++++++++++++++++++++- examples/same-account/main.tf | 1 - main.tf | 26 ++++++++--- 3 files changed, 77 insertions(+), 7 deletions(-) diff --git a/.github/workflows/terraform-checks.yaml b/.github/workflows/terraform-checks.yaml index 7dcaeb3..8683ec6 100644 --- a/.github/workflows/terraform-checks.yaml +++ b/.github/workflows/terraform-checks.yaml @@ -15,7 +15,7 @@ jobs: - name: Setup Terraform uses: hashicorp/setup-terraform@v3 with: - terraform_version: "1.14.0" + terraform_version: "1.13.0" - name: Initialize Terraform id: init 
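Review bot: The new `ref` expression adds a fallback to `github.event.pull_request.head.ref`, which is only populated when the event is not `pull_request` — in practice `pull_request_target` — so this step now explicitly checks out the PR's head branch in the base-repository context while passing `token: ${{ secrets.GITHUB_TOKEN }}` to a job whose next step renders and pushes docs from that checkout. The workflow's `on:` block is outside this hunk, so whether `pull_request_target` is actually used cannot be confirmed here; if it is, PR-controlled module files would be processed with a write-capable token, and the step should be documented with a comment such as `# head.ref is only set under pull_request_target; never render/push from PR-controlled content with a write token`. A branch name is also a moving target between trigger and checkout, so if the PR head is wanted, prefer `github.event.pull_request.head.sha`. If the workflow only runs on `pull_request` and `push`, the new fallback is dead and `${{ github.head_ref || github.ref }}` suffices.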
@@ -25,6 +25,27 @@ jobs: id: fmt run: terraform test + validateExamples: + name: Terraform Validate Examples + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: "1.6.0" + + - name: Validate all example folders + run: | + for dir in examples/*/; do + echo "Validating $dir" + terraform -chdir="$dir" init -input=false > /dev/null + terraform -chdir="$dir" validate + done + collectInputs: name: Collect workflow inputs needs: test @@ -64,6 +85,23 @@ jobs: with: directory: ${{ matrix.directory }} + - name: Inject CI provider configs + run: | + echo "Injecting provider configs for CI..." + for dir in examples/*/; do + cat < $dir/ci-providers.tf + provider "aws" { + region = "ap-south-1" + } + + provider "aws" { + alias = "cross_account_provider" + region = "ap-south-1" + } + EOF + done + + - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} # Run only validate pre-commit check on min version supported if: ${{ matrix.directory != '.' }} @@ -105,6 +143,23 @@ jobs: id: minMax uses: clowdhaus/terraform-min-max@v2.1.0 + - name: Inject CI provider configs + run: | + echo "Injecting provider configs for CI..." + for dir in examples/*/; do + cat < $dir/ci-providers.tf + provider "aws" { + region = "ap-south-1" + } + + provider "aws" { + alias = "cross_account_provider" + region = "ap-south-1" + } + EOF + done + + - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }} uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0 with: diff --git a/examples/same-account/main.tf b/examples/same-account/main.tf index 31204aa..5224114 100644 --- a/examples/same-account/main.tf +++ b/examples/same-account/main.tf @@ -2,7 +2,6 @@ provider "aws" { region = var.region } - module "kong" { source = "../../" diff --git a/main.tf b/main.tf index d0ed304..6fb7648 100644 --- a/main.tf +++ b/main.tf 
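Review bot: In both `Inject CI provider configs` steps (the `@@ -64` hunk here and the `@@ -105` hunk that follows it), `cat < $dir/ci-providers.tf` as shown is an input redirect from a file that does not exist yet, not a heredoc, so the step fails before anything is written and the `provider "aws" {` lines after it are parsed as shell commands; the intended form is `cat <<EOF > "$dir/ci-providers.tf"` with the `EOF` terminator at the start of its own line (or `<<-EOF` with tab indentation inside the `run: |` block). The new `validateExamples` job pins `terraform_version: "1.6.0"` while the examples' READMEs in this series declare `terraform >= 1.13.0`, so `terraform validate` will fail there until the two agree. It also uses `actions/checkout@v4` where the rest of the file uses `@v5`; pick one, and since the job has no AWS credentials, consider `terraform -chdir="$dir" init -backend=false -input=false` to make the no-backend, validate-only intent explicit.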
@@ -15,6 +15,10 @@ data "aws_ssm_parameter" "rds" { module "postgres_security_group" { source = "terraform-aws-modules/security-group/aws" version = "~> 5.3.0" + providers = { + aws = aws + } + name = local.rds.sg_name description = local.rds.sg_description @@ -45,6 +49,9 @@ module "postgres_security_group" { module "kong_rds" { source = "terraform-aws-modules/rds/aws" version = "~> 6.13.0" + providers = { + aws = aws + } identifier = local.rds.db_identifier engine = local.rds.engine @@ -86,6 +93,9 @@ module "kong_rds" { module "internal_alb_security_group" { source = "terraform-aws-modules/security-group/aws" version = "~> 5.3.0" + providers = { + aws = aws + } name = local.kong.alb_sg_name vpc_id = var.vpc_id @@ -113,6 +123,9 @@ module "internal_alb_security_group" { module "public_alb_security_group" { source = "terraform-aws-modules/security-group/aws" version = "~> 5.3.0" + providers = { + aws = aws + } name = local.kong.alb_sg_name vpc_id = var.vpc_id @@ -143,6 +156,9 @@ module "public_alb_security_group" { module "ecs_task_security_group" { source = "terraform-aws-modules/security-group/aws" version = "~> 5.3.0" + providers = { + aws = aws + } name = local.kong.ecs_task_sg_name vpc_id = var.vpc_id @@ -206,6 +222,11 @@ module "ecs_kong" { source = "infraspecdev/ecs-deployment/aws" version = "4.3.6" + providers = { + aws = aws + aws.cross_account_provider = aws.cross_account_provider + } + vpc_id = var.vpc_id cluster_name = data.aws_ecs_cluster.this.cluster_name @@ -314,11 +335,6 @@ module "ecs_kong" { } create_acm = true - - providers = { - aws = aws - aws.cross_account_provider = aws.cross_account_provider - } acm_certificates = { (local.kong.public_acm_certificate) = { domain_name = var.kong_public_domain_name From d2b582e60468bf267b4961a7c839288385b8d255 Mon Sep 17 00:00:00 2001 From: rahul-infra Date: Mon, 1 Dec 2025 10:03:23 +0530 Subject: [PATCH 06/14] changed precommit files. --- .pre-commit-config.yaml | 3 --- 1 file changed, 3 deletions(-) 
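Review bot: The `providers = { aws = aws }` maps added to `postgres_security_group`, `kong_rds`, `internal_alb_security_group`, `public_alb_security_group` and `ecs_task_security_group` are redundant: a child module that declares no `configuration_aliases` inherits the caller's default `aws` provider automatically, so these five additions change nothing and add noise. Only `ecs_kong`, which must receive `aws.cross_account_provider`, needs an explicit map, and the `@@ -206` / `@@ -314` hunks merely move its existing map to the top of the block, which is fine. If the intent was to make clear that these modules must never run under the Route53 (cross-account) provider, say so once in a comment, e.g. `# default provider only: RDS/ALB/ECS resources stay in the Kong account`, rather than repeating an inert map five times.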
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 14e5c29..2ab7953 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -14,11 +14,8 @@ repos: - '--args=--only=terraform_typed_variables' - '--args=--only=terraform_module_pinned_source' - '--args=--only=terraform_naming_convention' - - '--args=--only=terraform_required_version' - - '--args=--only=terraform_required_providers' - '--args=--only=terraform_standard_module_structure' - '--args=--only=terraform_workspace_remote' - - '--args=--only=terraform_unused_required_providers' - id: terraform_validate args: - --hook-config=--retry-once-with-cleanup=true From 5a8b0a4b22aac5ca82c1ddcbceb4522719e1a886 Mon Sep 17 00:00:00 2001 From: rahul-infra Date: Mon, 1 Dec 2025 10:45:27 +0530 Subject: [PATCH 07/14] made changes in github workflow. --- .github/workflows/terraform-checks.yaml | 36 ------------------------- 1 file changed, 36 deletions(-) diff --git a/.github/workflows/terraform-checks.yaml b/.github/workflows/terraform-checks.yaml index 8683ec6..5eb9238 100644 --- a/.github/workflows/terraform-checks.yaml +++ b/.github/workflows/terraform-checks.yaml @@ -84,24 +84,6 @@ jobs: uses: clowdhaus/terraform-min-max@v2.1.0 with: directory: ${{ matrix.directory }} - - - name: Inject CI provider configs - run: | - echo "Injecting provider configs for CI..." - for dir in examples/*/; do - cat < $dir/ci-providers.tf - provider "aws" { - region = "ap-south-1" - } - - provider "aws" { - alias = "cross_account_provider" - region = "ap-south-1" - } - EOF - done - - - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} # Run only validate pre-commit check on min version supported if: ${{ matrix.directory != '.' }} 
@@ -142,24 +124,6 @@ jobs: - name: Terraform min/max versions id: minMax uses: clowdhaus/terraform-min-max@v2.1.0 - - - name: Inject CI provider configs - run: | - echo "Injecting provider configs for CI..." - for dir in examples/*/; do - cat < $dir/ci-providers.tf - provider "aws" { - region = "ap-south-1" - } - - provider "aws" { - alias = "cross_account_provider" - region = "ap-south-1" - } - EOF - done - - - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }} uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0 with: From 30152e8bc1ab22ee7265d638b8eafad86efb6a32 Mon Sep 17 00:00:00 2001 From: rahul-infra Date: Mon, 1 Dec 2025 10:49:50 +0530 Subject: [PATCH 08/14] made changes in validating examples --- .github/workflows/terraform-checks.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/terraform-checks.yaml b/.github/workflows/terraform-checks.yaml index 5eb9238..34f7141 100644 --- a/.github/workflows/terraform-checks.yaml +++ b/.github/workflows/terraform-checks.yaml @@ -36,7 +36,7 @@ jobs: - name: Setup Terraform uses: hashicorp/setup-terraform@v3 with: - terraform_version: "1.6.0" + terraform_version: "1.13.0" - name: Validate all example folders run: | From b2f6c775eb5c52eb651928ccf34abf5ce59c9c47 Mon Sep 17 00:00:00 2001 From: rahul-infra Date: Mon, 1 Dec 2025 11:14:01 +0530 Subject: [PATCH 09/14] made changes in github actions --- .github/workflows/terraform-checks.yaml | 25 +++++++++++++++++-------- .pre-commit-config.yaml | 3 +++ main.tf | 16 ---------------- 3 files changed, 20 insertions(+), 24 deletions(-) diff --git a/.github/workflows/terraform-checks.yaml b/.github/workflows/terraform-checks.yaml index 34f7141..95a692e 100644 --- a/.github/workflows/terraform-checks.yaml +++ b/.github/workflows/terraform-checks.yaml 
@@ -12,6 +12,12 @@ jobs: name: Test runs-on: ubuntu-latest steps: + - name: Checkout + uses: actions/checkout@v5 + with: + fetch-depth: 0 + ref: ${{ github.event.pull_request.head.sha || github.sha }} + - name: Setup Terraform uses: hashicorp/setup-terraform@v3 with: @@ -55,6 +61,9 @@ jobs: steps: - name: Checkout uses: actions/checkout@v5 + with: + fetch-depth: 0 + ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Get root directories id: dirs @@ -67,8 +76,8 @@ jobs: strategy: matrix: directory: ${{ fromJson(needs.collectInputs.outputs.directories) }} + steps: - # https://github.com/orgs/community/discussions/25678#discussioncomment-5242449 - name: Delete huge unnecessary tools folder run: | rm -rf /opt/hostedtoolcache/CodeQL @@ -78,6 +87,9 @@ jobs: - name: Checkout uses: actions/checkout@v5 + with: + fetch-depth: 0 + ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Terraform min/max versions id: minMax @@ -85,8 +97,7 @@ jobs: with: directory: ${{ matrix.directory }} - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} - # Run only validate pre-commit check on min version supported - if: ${{ matrix.directory != '.' }} + if: ${{ matrix.directory != '.' }} uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0 with: terraform-version: ${{ steps.minMax.outputs.minVersion }} @@ -94,8 +105,7 @@ jobs: args: 'terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*' - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} - # Run only validate pre-commit check on min version supported - if: ${{ matrix.directory == '.' }} + if: ${{ matrix.directory == '.' }} uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0 with: terraform-version: ${{ steps.minMax.outputs.minVersion }} 
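Review bot: Every job now checks out `ref: ${{ github.event.pull_request.head.sha || github.sha }}` with `fetch-depth: 0` (this hunk plus the `@@ -55`, `@@ -78` and, in the next segment, `@@ -118` hunks, the last of which also drops `token: ${{ secrets.GITHUB_TOKEN }}`). Checking out the PR head instead of the default merge ref means everything these jobs run — `terraform test`, `terraform init`, the pre-commit hooks — is PR-controlled, which is acceptable only while the calling workflow triggers on `pull_request` with a read-only token; this series toggles `pull_request_target` on and off in `terraform.yaml`, and under that trigger the same checkout would execute untrusted content with base-repository credentials. Pin the intent next to the `ref:` line, e.g. `# PR head SHA: run only from pull_request/push, never pull_request_target`, and reconsider `fetch-depth: 0`, since validate and pre-commit do not need history. Separately, the two deleted comments (`# Run only validate pre-commit check on min version supported` and the community-discussion link explaining the `Delete huge unnecessary tools folder` step) carried intent the code does not; keep them.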
@@ -107,7 +117,6 @@ jobs: runs-on: ubuntu-latest needs: collectInputs steps: - # https://github.com/orgs/community/discussions/25678#discussioncomment-5242449 - name: Delete huge unnecessary tools folder run: | rm -rf /opt/hostedtoolcache/CodeQL @@ -118,8 +127,8 @@ jobs: - name: Checkout uses: actions/checkout@v5 with: - ref: ${{ github.event_name == 'pull_request' && github.head_ref || github.ref }} - token: ${{ secrets.GITHUB_TOKEN }} + fetch-depth: 0 + ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Terraform min/max versions id: minMax diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 2ab7953..14e5c29 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -14,8 +14,11 @@ repos: - '--args=--only=terraform_typed_variables' - '--args=--only=terraform_module_pinned_source' - '--args=--only=terraform_naming_convention' + - '--args=--only=terraform_required_version' + - '--args=--only=terraform_required_providers' - '--args=--only=terraform_standard_module_structure' - '--args=--only=terraform_workspace_remote' + - '--args=--only=terraform_unused_required_providers' - id: terraform_validate args: - --hook-config=--retry-once-with-cleanup=true diff --git a/main.tf b/main.tf index 6fb7648..6e0ff7f 100644 --- a/main.tf +++ b/main.tf @@ -15,10 +15,6 @@ data "aws_ssm_parameter" "rds" { module "postgres_security_group" { source = "terraform-aws-modules/security-group/aws" version = "~> 5.3.0" - providers = { - aws = aws - } - name = local.rds.sg_name description = local.rds.sg_description @@ -49,9 +45,6 @@ module "postgres_security_group" { module "kong_rds" { source = "terraform-aws-modules/rds/aws" version = "~> 6.13.0" - providers = { - aws = aws - } identifier = local.rds.db_identifier engine = local.rds.engine 
@@ -93,9 +86,6 @@ module "kong_rds" { module "internal_alb_security_group" { source = "terraform-aws-modules/security-group/aws" version = "~> 5.3.0" - providers = { - aws = aws - } name = local.kong.alb_sg_name vpc_id = var.vpc_id @@ -123,9 +113,6 @@ module "internal_alb_security_group" { module "public_alb_security_group" { source = "terraform-aws-modules/security-group/aws" version = "~> 5.3.0" - providers = { - aws = aws - } name = local.kong.alb_sg_name vpc_id = var.vpc_id @@ -156,9 +143,6 @@ module "public_alb_security_group" { module "ecs_task_security_group" { source = "terraform-aws-modules/security-group/aws" version = "~> 5.3.0" - providers = { - aws = aws - } name = local.kong.ecs_task_sg_name vpc_id = var.vpc_id From 9352ffdbe5b1ae2f7079b5e9b13f2337022ce0b8 Mon Sep 17 00:00:00 2001 From: rahul-infra Date: Mon, 1 Dec 2025 11:33:56 +0530 Subject: [PATCH 10/14] Made some change in running pull request target for github workflows. --- .github/workflows/terraform.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml index 0cbfeca..585b232 100644 --- a/.github/workflows/terraform.yaml +++ b/.github/workflows/terraform.yaml @@ -4,11 +4,6 @@ on: push: branches: - main - pull_request_target: - types: - - opened - - edited - - synchronize pull_request: branches: - main From 00862ae2b03ea9eb97cf22b6cd17654224fb03dc Mon Sep 17 00:00:00 2001 From: rahul-infra Date: Mon, 1 Dec 2025 11:48:56 +0530 Subject: [PATCH 11/14] updated terraform.yaml file. --- .github/workflows/terraform.yaml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml index 585b232..a5b83fb 100644 --- a/.github/workflows/terraform.yaml +++ b/.github/workflows/terraform.yaml 
@@ -4,14 +4,15 @@ on: push: branches: - main + pull_request_target: + types: + - opened + - edited + - synchronize pull_request: branches: - main -permissions: - contents: write - pull-requests: write - actions: read jobs: prTitlecheck: From ae375e318acb37ac5e61cb5d5e80d6d6e78f752f Mon Sep 17 00:00:00 2001 From: rahul-infra Date: Mon, 1 Dec 2025 11:57:30 +0530 Subject: [PATCH 12/14] running github actions. --- .github/workflows/terraform.yaml | 2 -- .github/workflows/update-configs.yaml | 3 --- 2 files changed, 5 deletions(-) diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml index a5b83fb..0daf72d 100644 --- a/.github/workflows/terraform.yaml +++ b/.github/workflows/terraform.yaml @@ -12,8 +12,6 @@ on: pull_request: branches: - main - - jobs: prTitlecheck: name: PR title check diff --git a/.github/workflows/update-configs.yaml b/.github/workflows/update-configs.yaml index 86623b5..503db39 100644 --- a/.github/workflows/update-configs.yaml +++ b/.github/workflows/update-configs.yaml @@ -3,9 +3,6 @@ on: workflow_dispatch: - permissions: - contents: write - jobs: update: runs-on: ubuntu-latest From 8f7e6a2c7e56ed7be5e4cf4935a7b1407be601d2 Mon Sep 17 00:00:00 2001 From: rahul-infra Date: Mon, 1 Dec 2025 12:00:36 +0530 Subject: [PATCH 13/14] removed pullrequest target --- .github/workflows/terraform.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml index 0daf72d..5639083 100644 --- a/.github/workflows/terraform.yaml +++ b/.github/workflows/terraform.yaml @@ -4,11 +4,6 @@ on: push: branches: - main - pull_request_target: - types: - - opened - - edited - - synchronize pull_request: branches: - main From e5e65ac4e7b679400b73dae70158daa0b3e8f042 Mon Sep 17 00:00:00 2001 From: rahul-infra Date: Mon, 1 Dec 2025 12:05:20 +0530 Subject: [PATCH 14/14] commented prTitle check. --- .github/workflows/terraform.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
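Review bot: This hunk re-adds the `pull_request_target` trigger and, in the same change, deletes the top-level `permissions:` block, so the workflow now runs for pull requests from forks with a base-repository `GITHUB_TOKEN` whose scopes fall back to the repository default — which, depending on repository settings, may be read/write on everything — instead of the explicit `contents: write`, `pull-requests: write`, `actions: read` set it replaced. `pull_request_target` is only safe when no job checks out or executes PR-controlled content; `terraform-checks.yaml` in this series now checks out `github.event.pull_request.head.sha`, so if `preCommitCheck` invokes that workflow under this trigger the privileged token is exposed to the PR's Terraform and hook configuration. Keep an explicit least-privilege `permissions:` block (top-level `contents: read`, with `pull-requests: write` only on the job that needs it) and run code-executing jobs on `pull_request`; the `update-configs.yaml` hunk in the following commit removes its `permissions: contents: write` the same way and should retain an explicit block too.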
diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml index 5639083..e922f27 100644 --- a/.github/workflows/terraform.yaml +++ b/.github/workflows/terraform.yaml @@ -8,10 +8,10 @@ on: branches: - main jobs: - prTitlecheck: - name: PR title check - if: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.base.ref == 'main' }} - uses: ./.github/workflows/pr-title.yaml + # prTitlecheck: + # name: PR title check + # if: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.base.ref == 'main' }} + # uses: ./.github/workflows/pr-title.yaml preCommitCheck: name: Terraform Checks
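Review bot: The commented-out `prTitlecheck` job is dead configuration rather than a decision: its `if:` gate requires `github.event_name == 'pull_request_target'`, which the previous commit removed from `on:`, so the job could not run in its current form anyway. Either delete the four lines or re-gate it on the trigger that remains, `if: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'main' }}`, adding an explicit job-level `permissions:` block if the reusable `pr-title.yaml` needs write access to the PR. If it must stay disabled for now, replace the commented block with a single line such as `# prTitlecheck disabled: pr-title.yaml relied on pull_request_target, removed in <commit/issue placeholder>` so the reason survives in the file.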